diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 30a60bc3c..6ff35511e 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40514
+SHOREWALL_CAPVERSION=40515
 [ -n "${g_program:=shorewall}" ]
@@ -2200,6 +2200,7 @@ determine_capabilities() {
 ARPTABLESJF=
 MASQUERADE_TGT=
 UDPLITEREDIRECT=
+ NEW_TOS_MATCH=
 AMANDA_HELPER=
 FTP_HELPER=
@@ -2371,6 +2372,7 @@ determine_capabilities() {
 qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
 qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
+ qt $g_tool -t mangle -A $chain -m tos --tos 0x10/0xff && NEW_TOS_MATCH=Yes
 qt $g_tool -t mangle -F $chain
 qt $g_tool -t mangle -X $chain
@@ -2612,6 +2614,7 @@ report_capabilities_unsorted() {
 report_capability "Arptables JF" $ARPTABLESJF
 report_capability "MASQUERADE Target" $MASQUERADE_TGT
 report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
+ report_capability "New tos Match" $NEW_TOS_MATCH
 report_capability "Amanda Helper" $AMANDA_HELPER
 report_capability "FTP Helper" $FTP_HELPER
@@ -2733,6 +2736,7 @@ report_capabilities_unsorted1() {
 report_capability1 ARPTABLESJF
 report_capability1 MASQUERADE_TGT
 report_capability1 UDPLITEREDIRECT
+ report_capability1 NEW_TOS_MATCH
 report_capability1 AMANDA_HELPER
 report_capability1 FTP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b1e5dc865..10cead5ee 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
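Review bot: The probe added in the `@@ -2371` hunk of lib.cli (`-m tos --tos 0x10/0xff`) has no comment saying what it distinguishes, and the label "New tos Match" does not say what is new about the match. Judging by the `require_capability 'NEW_TOS_MATCH', 'A mask', 's'` call in decode_tos, the capability means the tos match accepts the value/mask form. I would put `# NEW_TOS_MATCH=Yes when the tos match accepts the value/mask form` above the probe line. The same one-line comment belongs above `New_Tos_Match()` in Config.pm. determine_capabilities starts and ends outside this hunk.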
@@ -4791,10 +4791,11 @@ sub decode_tos( $$ ) {
 return '';
 }
- my $mask = 0xff;
+ my $mask = have_capability( 'NEW_TOS_MATCH' ) ? 0xff : '';
 my $value;
 if ( $tos =~ m"^(.+)/(.+)$" ) {
+ require_capability 'NEW_TOS_MATCH', 'A mask', 's';
 $value = numeric_value $1;
 $mask = numeric_value $2;
 } elsif ( ! defined ( $value = numeric_value( $tos ) ) ) {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 613ce8251..b652f8465 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -362,6 +362,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 ARPTABLESJF => 'Arptables JF',
 MASQUERADE_TGT => 'MASQUERADE Target',
 UDPLITEREDIRECT => 'UDPLITE Port Redirection',
+ NEW_TOS_MATCH => 'New tos Match',
 AMANDA_HELPER => 'Amanda Helper',
 FTP_HELPER => 'FTP Helper',
@@ -656,7 +657,7 @@ sub initialize( $;$$) {
 KLUDGEFREE => '',
 STATEMATCH => '-m state --state',
 VERSION => "4.5.13-Beta3",
- CAPVERSION => 40514 ,
+ CAPVERSION => 40515 ,
 );
 #
 # From shorewall.conf file
@@ -912,6 +913,7 @@ sub initialize( $;$$) {
 ARPTABLESJF => undef,
 MASQUERADE_TGT => undef,
 UDPLITEREDIRECT => undef,
+ NEW_TOS_MATCH => undef,
 AMANDA_HELPER => undef,
 FTP_HELPER => undef,
@@ -3769,6 +3771,10 @@ sub Xconnmark() {
 have_capability( 'XCONNMARK_MATCH' ) && have_capability( 'XMARK' ) && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
 }
+sub New_Tos_Match() {
+ qt1( "$iptables -t mangle -A $sillyname -m tos --tos 0x10/0xff" );
+}
+
 sub Classify_Target() {
 have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
 }
@@ -4146,6 +4152,7 @@ our %detect_capability =
 OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
 OLD_HL_MATCH => \&Old_Hashlimit_Match,
 OLD_IPP2P_MATCH => \&Old_Ipp2p_Match,
+ NEW_TOS_MATCH => \&New_Tos_Match,
 OWNER_MATCH => \&Owner_Match,
 OWNER_NAME_MATCH => \&Owner_Name_Match,
 PERSISTENT_SNAT => \&Persistent_Snat,
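Review bot: In the decode_tos hunk `$mask` now starts as either the number 0xff or the empty string, and the `''` sentinel for "emit no mask" is not explained at the declaration. Code after this hunk that uses `$mask` numerically has to test `$mask eq ''` first, otherwise an unmasked entry is evaluated as mask 0; decode_tos continues past the hunk, so whether it does is not visible here. In the mask branch the results of `numeric_value $1` and `numeric_value $2` are not checked within the hunk either, while the `elsif` shows that `numeric_value` can return undef, so a malformed value/mask entry is only rejected if validation follows further down. I would add above the declaration `# '' means no mask: without NEW_TOS_MATCH only a bare TOS value can be emitted`.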
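Review bot: `New_Tos_Match` in the `@@ -3769` hunk of Config.pm appends to the mangle table without the `have_capability( 'MANGLE_ENABLED' ) &&` guard that `Classify_Target`, visible as context directly below it, puts in front of its own mangle-table probe. Without the guard the result on a host that has no mangle table depends on the iptables call failing, which presumably still reports the capability as absent but runs a command that cannot succeed. For consistency the body could read `have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -m tos --tos 0x10/0xff" );`.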
@@ -4311,6 +4318,7 @@ sub determine_capabilities() {
 $capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 $capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' );
 $capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
+ $capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
 if ( have_capability 'CT_TARGET' ) {
 $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );